Expert: Skype Worm No Cause for Panic
Security research firm Bkis earlier this month warned of a vicious virus targeting both Skype and Yahoo! Messenger. BKIS said in a blog post the attack involved inserting malicious URLs into chat windows with sophisticated social engineering hooks.
Also see Social Engineering: The Basics
Each time, the messages sent have different contents, noted Bkis researchers. Examples include "Does my new hair style look good? bad? perfect?" "My printer is about to be thrown through a window if this pic wont come our right. You see anything wrong with it?" The message contains a link to a web page that appears to lead to a JPEG or image file.
"The users are more easily tricked into clicking the link by these messages, because users tend to think that "their friend(s)" are asking for advice," Bkis said in its posting. "If a user clicks the link, his browser will immediately load to a website with Rapidshare-like interface, and a .zip file will be available for download."
The W32.Skyhoo.Worm, as it was named by Bkis, automatically exits if the victim's computer is not installed with Skype or Yahoo! Messenger and automatically sends messages with different contents containing malicious URLs to user names in the Skype/Yahoo! Messenger friend list of the user. Michael Gough, owner of the web site skypetips.com, and author of 'Skype Me! From Single User to Small Enterprise and Beyond ,' spoke to CSO earlier this year about Skype's benefits and challenges in the business environment (See Skype security: Is the popular VOIP service safe for business?).
Gough said while this virus is targeting Skype, it's really social engineering and awareness that need to be considered.
"If I can get you to install anything I own the system and the applications, it does not matter which app," said Gough. "The fact this is taking advantage of Skype is secondary or almost moot. Skype has APIs and functionality that allows this to be used. If Skype wants to change the code to prevent this from happening they may break or disable functionality they actually wanted to provide."
In other words, according to Gough, don't knock Skype for this attack. Instead focus on awareness among users if you are using Skype in the workplace and give them a warning about social engineering rather than worrying about the application's security.
"This is actually just another social engineering attack," Gough told CSO. "The user has to be fooled into downloading and installing a piece of malware. So really it is not attacking Skype, it is trying, in many cases successfully to fool a user to provide access and then use an application, in this case Skype to proliferate more social engineering."
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.